W3C home > Mailing lists > Public > public-xmlsec@w3.org > May 2009

Proposed erratum: SHA-256 for XML Signature 1.0 (ACTION-269)

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 11 May 2009 16:34:45 +0200
Message-Id: <39EABDB0-A733-4B03-8604-A5DCD0240D32@w3.org>
To: XMLSec WG Public List <public-xmlsec@w3.org>
Let's add the following erratum to the list of errata for XML  
Signature 1.0.  It's stretching the errata process a bit; let me know  
what you think.  (I'll check within the Team as well.)

The text is based on what's in the current 1.1 Working Draft.


> Class: substantive

> Affects conformance: yes


> This erratum introduces SHA256 as a recommended algorithm into XML  
> Signature 1.0, and recommends its use over the use of SHA1.  SHA256  
> will be introduced as a mandatory to implement algorithm in XML  
> Signature 1.1.


> Change the initial text in section 6.2 as follows:

> "This specification defines several possible digest algorithms for  
> the DigestMethod element, including REQUIRED algorithm SHA-1 and the  
> RECOMMENDED algorithm SHA-256. Use of SHA-256 is strongly  
> recommended over SHA-1 because recent advances in cryptanalysis have  
> cast doubt on the long-term collision resistance of SHA-1. However,  
> SHA-1 support is REQUIRED in this specification to support  
> interoperability with implementations of prior versions of this  
> specification.
> Digest algorithms that are known not to be collision resistant  
> SHOULD NOT be used in DigestMethod elements. For example, the MD5  
> message digest algorithm SHOULD NOT be used as specific collisions  
> have been demonstrated for that algorithm."

> Add a new section 6.2.2:

> 6.2.2 SHA-256
>

> Identifier: http://www.w3.org/2001/04/xmlenc#sha256
>

> The SHA-256 algorithm [SHA-256] takes no explicit parameters. A  
> SHA-256 digest is a 256-bit string. The content of the DigestValue  
> element shall be the base64 encoding of this bit string viewed as a  
> 32-octet octet stream.
>



--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Monday, 11 May 2009 14:34:56 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:58 GMT